ARRA - HITECH: Health Care Information Breach Notification Regulations Now In Effect

Have you had a health data security breach? Do you know what a health data breach is? Are you required to notify individuals impacted by the breach? Do you have to notify federal agencies of such breach?

Read on for more information regarding the Office for Civil Right (OCR) and Federal Trade Commission (FTC) regulations requiring health care providers and other health data business vendors to assess and in some cases notify and report health information data breaches under the new federal law created by ARRA-HITECH.

The new regulations went into effect on September 23, 2009 and September 24, 2009, respectively, with a full compliance date of February 22, 2010. Health care providers covered under HIPAA and third party users of health information, including personal health record (PHR) companies and vendors, PHR related entities, health 2.0 companies and other third party health data service providers, should examine the regulations and understand the impact on their business.

The regulations require entities to develop internal compliance processes to act upon and advise individuals of data breaches that pose a significant risk of financial, reputational or other harm to the affected individual. The OCR regulations apply mainly to covered entities and business associates under HIPAA and the FTC regulations apply mainly to PHR vendors and PHR related entities. The regulations define a "breach" and set forth the time frames and scope of notification required. The regulations require the tracking and reporting of such data breaches to OCR and FTC. Also, OCR has published separate guidance specifying the technology and methods that will render health information unusable, unreadable and undecipherable as defined under ARRA-HITECH.

OCR has provided a summary of the breach notification rule on its website. OCR has also published instructions for reporting breaches to the HHS Secretary. The instructions include details for reporting "Breaches Affecting 500 or More Individuals" and "Breaches Affecting Fewer than 500 Individuals." OCR will also maintain a list of reported breaches that impact 500 or more individuals. The FTC also has a section on its website providing information on its health breach notification rule.

Below are links to the full regulation text:

* OCR Interim Final Rule - Breach Notification for Unsecured Protected Health Information (45 CFR Part 160 and 164) 74 Fed. Reg. 42740 (Aug 24, 2009).

* OCR Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information 74 Fed. Reg. 19006 (April 27, 2009).

* Federal Trade Commission: Health Breach Notification Rule: Final Rule -- Issued Pursuant to the American Recovery and Reinvestment Act of 2009 -- Requiring Vendors of Personal Health Records and Related Entities To Notify Consumers When the Security of Their Individually Identifiable Health Information Has Been Breached (16 CFR Part 318) 74 Fed. Reg. 42962 (Aug 25, 2009). The FTC has also issued a Breach Notification Form.